Follow us

Description: This talk is the story of 0-day PDF attacks, the now famous gh0stnet ring and the disclosure debacle of the Adobe JBIG2 vulnerability in January and February 2009. This is the story of international cyber-espionage using 0-days and the fierce debate over how to defend networks in the face of prolonged periods of exposure to unpatched vulnerabilities.

We seek to answer the following questions in this talk: Who was behind the early 0-day attacks and are they the same as the gh0stnet report published in April 2009? Did disclosure of the Adobe JBIG2 vulnerability have an impact on targeted attacks? How effective were post-disclosure protections such as AV signatures, IDS signatures and workarounds?

Throughout the talk we dissect the 0-day artifacts and other events leading up to the partial disclosure of the JBIG2 vulnerability on February 19 by ShadowServer. Using a variety of 0day PDF samples we will analyze the 0-day attacks and attempt to correlate them to the attackers discussed in the recent paper Tracking GhostNet: Investigating a Cyber Espionage Network.

We will also look at the partial disclosure by ShadowServer and then full disclosure on the Sourcefire blog and assess the impact on targeted attacks. We will analyze the various malicious PDF's submitted to Virustotal to determine their lineage and relationship to either the original 0day exploit and gh0stnet or new attacks that sprang up in the wake of the disclosure. The analysis tools and techniques will be shared to aid future analysis efforts.

Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.